Monday, March 23, 2015

Note: This applies mainly to PeopleTools 8.53; it may or may not work with lower PeopleTools releases (8.52 or lower) or with the higher PeopleTools 8.54. It also pertains to WebLogic and may not be applicable to WebSphere.

WebLogic version used is 10.3.6.0.

Step 1: Update WebLogic to the latest Patch Set Update. If you already have a WebLogic Patch Set Update installed, you will need to uninstall it, including any one-off patches, and reinstall the latest Patch Set Update, e.g. 10.3.6.0_10 for WebLogic 10.3.6. In the case of WebLogic 10.3.6.0_10, also apply the one-off patches listed below to avoid "SSLEngine is closed" errors.

If you do not do this, the web server becomes unresponsive or takes longer to respond, and Connection Reset errors will be seen in Chrome/Firefox/IE/Safari whenever an ECDHE cipher suite is used.

Removing this jar file may impact some cryptographic functions, though everything is working fine in our environment, including web service security. It is supposed to be part of wss4j-1.5.9.jar (Apache Web Services Security module), which is bundled with PeopleTools. This issue was observed on those web servers where we have enabled Integration Broker gateway servers and use web services that involve security.

Restart WebLogic after all the changes are complete and the SSL certificate has been imported into pskey using pskeymanager.sh.

Also, if any other applications connect to you using SSL or HTTPS, they will need to support SHA256. In WebLogic 10.3.4 or higher this means enabling JSSE support in the WebLogic console; if your version is lower than 10.3.4, use the Sun HTTP Handler, which automatically enables JSSE support.

How to Change Weblogic to Use the Sun SSL Implementation Rather Than Certicom (Doc ID 1242974.1)

The SSL implementation and SSL handler can be changed by setting the following flags on startup:

-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
-Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
-DUseSunHttpHandler=true

Also, for web service clients, include:

-Dweblogic.wsee.client.ssl.usejdk=true

In the end: Test! Test! Test! that all of this works correctly.

In summary, supporting SHA256 with WebLogic 10.3.6 or lower requires a series of changes to make this work. Plan ahead and allocate enough resources to handle this migration. This will become important as major browsers start flagging SHA1 certificates as insecure.

Useful resources: http://www.ssllabs.com; test your public website using their site scanner. Enable support for TLS 1.0, 1.1 and 1.2 and disable SSL 3.0 support in IE. For Firefox/Chrome, upgrade to the latest version to automatically disable support for SSL 3.0.
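The SSL Labs scanner only reaches public hosts, so as an added example (not from the original post) here is a small POSIX shell script that performs the same two checks with openssl against an internal PeopleSoft web server: whether the certificate is SHA-2 signed, and whether a TLS 1.2 + ECDHE handshake completes instead of being reset. The host and port are placeholders given on the command line; the classifier functions take openssl's text output, so they can be exercised offline on constructed output.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks the post-migration
# state of a PeopleSoft web server with openssl: a SHA-2 signed certificate
# and a working TLS 1.2 + ECDHE handshake. Host and port are placeholders.

# Classify the "Signature Algorithm:" line of `openssl x509 -noout -text`.
# Prints "ok" for SHA-2 signatures, "weak" for SHA-1/MD5, else "unknown".
classify_sig_alg() {
    alg=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    case "$alg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384) echo ok ;;
        sha1*|md5*) echo weak ;;
        *) echo unknown ;;
    esac
}

# Classify the SSL-Session block of `openssl s_client` output. "tls12-ecdhe"
# is the combination that triggers the "SSLEngine is closed" resets on an
# unpatched 10.3.6; "failed" means no cipher was agreed (Cipher : 0000).
classify_handshake() {
    proto=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case "$proto" in
        TLSv1.2)
            case "$cipher" in
                ""|0000) echo failed ;;
                ECDHE-*) echo tls12-ecdhe ;;
                *) echo tls12 ;;
            esac ;;
        TLSv1|TLSv1.1|SSLv3) echo legacy ;;
        "") echo failed ;;
        *) echo unknown ;;
    esac
}

# Live probe, run only when a host is given: ./check.sh psweb.example.com 443
probe() {
    host=$1; port=$2
    cert=$(openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -noout -text 2>/dev/null) || true
    echo "certificate signature: $(classify_sig_alg "$cert")"
    hs=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        -cipher 'ECDHE' </dev/null 2>/dev/null) || true
    echo "TLS 1.2 + ECDHE handshake: $(classify_handshake "$hs")"
}
if [ -n "${1:-}" ]; then probe "$1" "${2:-443}"; fi
```

After the migration the expected output is "ok" and "tls12-ecdhe"; "weak" means the certificate is still SHA-1 signed, and "failed" on the handshake line points back to the missing one-off patches.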

If you encounter specific issues related to the SHA256 implementation with WebLogic and PeopleSoft, leave comments and I can try to provide help.

List of bugs fixed in the Patch Set Update: Doc ID 1942223.1

Some of the error messages I have encountered when the settings are not correct are:

javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received. (Seen if JSSE is not enabled; the Certicom SSL implementation does not support SHA256.)